Peter Van Garderen wrote:
> This is a shameless bump of a question I posted yesterday:
> http://groups.google.com/group/symfony-devs/browse_thread/thread/c245a6749858d765
>
> However, I am only doing it because I want to rule out that there might be a
> security leak in any number of live Symfony applications out there.
>
> This is real easy to test in your own application.
>
> Go to any secured module and change the case on one or more of the letters
> in the action name. If you get your login module then you're OK. However, if
> you get a 500 or other Template error then your action has executed. This
> can be a problem, for example, if someone maliciously calls an update or
> delete action.
>
> See my other post for more details. I am sorry to nag about this but I just
> assumed even the potential of this problem being out there would be a
> concern for someone.

Isn't it limited to Windows systems (no case sensitive file systems)?

I only use Linux machines and Symfony 1.0 and I always get the login module. So I think I am not concerned.

But I noticed that Action = action, probably because ucfirst is used anywhere.

Too much magic where it is not needed - too little where it is? :-(

Regards,
Matthias
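
An added example, not part of either message and not symfony's own code: one way a case mismatch like the one discussed above can arise, assuming security settings are looked up by exact action name while PHP resolves method names case-insensitively. The class, function and action names are hypothetical and the configuration is constructed.

```php
<?php
// Constructed example with hypothetical names; this is not symfony's code.

// Per-action security settings, keyed by the action name as written in config.
$security = [
    'index'  => ['is_secure' => false],
    'delete' => ['is_secure' => true],
];

class ItemActions
{
    public function executeIndex()  { return 'index ran'; }
    public function executeDelete() { return 'delete ran'; }
}

// Weak check: array keys are case-sensitive, so "Delete" matches no entry
// and falls through to "not secure".
function isSecureWeak(array $security, string $action): bool
{
    return $security[$action]['is_secure'] ?? false;
}

// Hardened check: normalize the name before the lookup and treat an
// action with no matching entry as secure.
function isSecureStrict(array $security, string $action): bool
{
    $byLower = array_change_key_case($security, CASE_LOWER);
    return $byLower[strtolower($action)]['is_secure'] ?? true;
}

function dispatch(callable $isSecure, array $security, string $action, bool $loggedIn): string
{
    if ($isSecure($security, $action) && !$loggedIn) {
        return 'forward to login';
    }
    // PHP method names are case-insensitive: executeDELETE() calls executeDelete().
    $method  = 'execute' . $action;
    $actions = new ItemActions();
    return method_exists($actions, $method) ? $actions->$method() : '404';
}

// Anonymous request for the same action spelled three ways.
foreach (['delete', 'Delete', 'DELETE'] as $name) {
    printf("%-7s weak: %-17s strict: %s\n", $name,
        dispatch('isSecureWeak', $security, $name, false),
        dispatch('isSecureStrict', $security, $name, false));
}
```

With the weak lookup only the exact spelling `delete` is forwarded to login; the strict lookup forwards all three spellings.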
